Days After Missed Ransomware Deadline, Stolen MN Schools’ Files Appear Online

Minneapolis school officials had said stolen data only available on the dark web, but files uploaded to publicly accessible platforms

Files stolen from Minneapolis Public Schools appeared Wednesday morning on Telegram, the encrypted instant messaging service. (Screenshot)

Get stories like these delivered straight to your inbox. Sign up for The 74 Newsletter

A trove of files purportedly stolen from Minneapolis Public Schools has turned up on the internet days after a cyber gang announced the school system had missed its deadline to pay a $1 million ransom demand.

A download link was published Tuesday night on a website designed to resemble a technology news blog — an apparent front — and, by Wednesday morning, download links began to appear on Telegram, the encrypted instant messaging service that’s been used by terror groups and far-right extremists. The 74 is still working to confirm the contents of the large, roughly 92-gigabyte file.

Still, the available download is significantly smaller than the 157 terabytes — there are 1,000 gigabytes in one terabyte — the Medusa ransomware gang claims it stole from the district, according to a file tree posted this month to the criminal group’s dark web blog. That file tree suggests the records contain a significant amount of sensitive information, including student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications. 

“Today, the hacker group ‘Medusa’ gave me data for publication that will become a hit,” notes a post on the faux technology news blog, which appears to have a direct tie to the ransomware group. The author offered a rant accusing district leaders of failing to maintain sufficient data security procedures while attempting to distance himself from illegal activities.

“Someone will tell me that this cannot be published. I will answer this simply — the only way to change rotten systems is to publicly show that they are extremely unsuitable for further use. If you don’t focus on the problems, they accumulate. I hope that the board of trustees of this organization will make the right decision on the current management of the organization.” 

Though the full scope of the breach remains unclear, current and former Minneapolis families and district employees should take immediate steps to protect themselves, cybersecurity experts said. 

“If I was a parent at this school district, or a teacher, I would assume that my data and information had been compromised and act accordingly,” said Brett Callow, a threat analyst with the cybersecurity company Emsisoft. Identity theft is a primary risk that data breach victims face, Callow said, so people should consider freezing their credit and “at the very least, being extra vigilant and looking more closely at your transactions than you normally would.” 

It’s also a good time for people to implement two-factor authentication on accounts when possible and avoid reusing passwords across multiple services, said Doug Levin, an expert in K-12 cybersecurity incidents and national director of the K12 Security Information eXchange

Yet for people whose sensitive personal records are now available, including those related to student sexual misconduct incidents, experts said, there are no easy remedies. Potential victims should consider seeking mental health counseling, Levin said, or to create an action plan if they become the target of harassment. 

“Once that genie is out of the bottle, it is very difficult to get it back in,” Levin said. “I don’t know what the school district could do to comfort those individuals or even provide them a recourse. Credit monitoring is not going to be helpful. What is at risk is their well-being, their reputation.” 

The Minneapolis district, which has been criticized for how it publicly communicated information about a ransomware attack it first referred to as an “encryption event,” announced Friday that the ransomware group had released the stolen records on the dark web, “a part of the internet accessible only with special software that allows users to remain untraceable.” 

“We are working with cybersecurity specialists to quickly and securely download the data so that we can conduct an in-depth and comprehensive review to determine the full scope of what personal information was impacted and to whom the information relates,” the district update continued. 

However, that statement appeared premature. After a countdown clock reached zero on Medusa’s dark web blog Friday, the files weren’t readily available for download. Instead, a “Download data now!” button directed users to contact the gang through an encrypted instant-messaging protocol. 

District officials didn’t respond to requests for comment from The 74 Wednesday. Attempts by The 74 to reach the gang have been unsuccessful. 

Instead of uploading district files to the dark web blog, a download link to the Minneapolis data is available in the Telegram channel and on the faux tech news blog, which is not relegated to the dark web, does not require special tools to access and can be found through a Google search. The site also includes a 50-minute video offering a preview of files within the gang’s possession. 

In posting the download link to the “clearnet” — a publicly accessible website that’s indexed by search engines — Medusa may have lowered the technical bar for people who are interested in downloading and viewing the stolen records. But at some 92 gigabytes, Levin said the file’s size may serve as a barrier to access to cyber criminals interested in exploiting the information — and to district officials who are investigating the breach and attempting to alert those whose information has been exposed.

Comments on the Telegram channel suggest there is interest in the stolen records. Since last week, Telegram users have questioned when the file download would become available. By Wednesday afternoon, Telegram posts with links to the district data amassed more than 400 views. Viewing the links doesn’t necessarily mean the data was downloaded.

“Hey, how can I see the mps stuff,” one Telegram user asked in the ransomware group’s channel. “I”m hoping I’m not on there. I attend school and work at this district.” 

The Telegram user, who identified themselves to The 74 as an 18-year-old Minneapolis high school student, said they were trying to download the data due to concerns that it could contain their Social Security number or other sensitive information. 

Among a list of safety precautions, the district has urged the community to refrain from downloading the breached data, arguing that doing so “plays into the cybercriminals’ hands by drawing attention to the information and increasing our community’s fear and panic.” 

The district has also warned people against responding to suspicious emails or phone calls due to phishing risks and urged people to change their passwords. On Friday, the district said it was working to identify which records were compromised and planned to notify affected individuals at the end of a process that “will take some time.” 

Callow said that ransomware victims should take a proactive approach to notifying those whose data was potentially stolen, rather than waiting until investigations are concluded. 

“I would much prefer to see organizations preemptively warn people that their data may have been compromised so that they can be cautious. Forewarned is forearmed, as they say,” Callow said. “If my personal information may have been compromised, I would want to know straight away.”

Get stories like these delivered straight to your inbox. Sign up for The 74 Newsletter

Republish This Article

We want our stories to be shared as widely as possible — for free.

Please view The 74's republishing terms.

On The 74 Today